Enable breadcrumbs token at /includes/pageheader.html.twig

Keys to Building A World-Class Cybersecurity Workforce

Success stories offer insights into how to move forward.

The most senior military cyber warfighters have defined the challenge of building a world-class cybersecurity workforce: We have great performers but not enough. Our accessions can barely keep pace with attrition; but we are scheduled to grow. We need a viable plan to increase capacity.

During a panel session at the Cyber Education, Research and Training Symposium (CERTS) in Augusta, Georgia, cybersecurity leaders discussed how to build the people who can protect the nation against the tens of thousands of very high-end professionals that Russia and China are putting out.

Their success stories served as case studies for how the cybersecurity community can move forward in attaining such talent.

James Lyne of Sophos has spent the last seven years trying to solve the problem of how to develop very high-end talent, mostly in the United Kingdom. He started an extracurricular program, HMG Cyber Discovery Programme, which was designed to show people how fun cybersecurity is.

The core of the program is CyberStart Go, which takes things that security researchers do day-to-day and boils them down to problem solving and puzzles wrapped in a narrative way where the players thwart online criminal gangs as a member of the cyber protection agency.  The goal of the program was to find a little over 4,000 people in four years. They had 27,000 in year one alone.

“We built the content all the way up to be incredibly challenging work in hyper realistic networks and environments,” said Lyne.

There is a community of about 2,000 people who log in to the game on a daily basis. When they released the newest content at 1a.m., within two minutes 70 students had started working on the challenge and worked through the morning.

“We created a wonderful community of addicts,” joked Lyne. “The upshot is we created an opportunity for people with amazing talent to discover their passion for cybersecurity and to relentlessly spend time learning,” he added.

Ultimately, the CyberStart Game enables large numbers of students to be assessed for these characteristics and reliably identifies as many as 7 percent who score extraordinarily high across the board and can be elite practitioners.

Col. Eric Toler, USA (Ret.), the inaugural executive director of the Georgia Cyber Center, shared his latest successes since the center opened a year and a half ago.

“We’ve created an ecosystem of government, academia and private industry where it’s kind of like having a CERTS event every day at the center,” said the colonel.

The state of Georgia has invested $106 million in the center and Col. Toler believes they are putting their money where their mouth is. Since opening they’ve hosted the Defense Innovation Board; trained hundreds of law enforcement professionals; Augusta Technical College and Augusta University had their highest freshman enrollments in the history of their organizations; Augusta University hired 10 new Ph.D. researchers; Parsons and Defense Digital Service held their ribbon cutting ceremonies; and they’ve signed leases with seven more industry partners on their campus. They hosted 500 middle and high school kids for field trips, held two CyberPatriot Camps, one of which was a result of last year’s CERTS, and sponsored Girls Go CyberStart competitions for the state.

He credits a lot of these accomplishments with going the extra mile. "Cybersecurity professionals have an obligation to inspire, teach, coach and mentor this next generation of cyber professionals. We have to be cyber evangelists,” stressed Col. Toler.

“Where we are seeing success is with people taking the extra step to get people inspired,” added the colonel. This includes extracurricular activities like Lyne’s game, competitions, after-school programs and partnerships.

Another key to building a world-class cybersecurity workforce is altering the pipeline and changing the perception of it. Michele Guel, Cisco, (who sent notes, but couldn’t attend CERTS) sees the need to ensure that the search for talent not only allows women and other underrepresented groups to participate, but that the tools are designed to be comfortable and enticing for those groups, and that employers are actively reaching out to let them know they are need. Cyber aptitude is not a male-only competence.

Col. Toler agreed, “If you Google cybersecurity right now, you’ll get a picture of a 25-year-old male with a hoodie on working alone in a basement. We need to change the perception of what cybersecurity is.”

Changes are also happening at the U.S. Army Cyber Center of Excellence. Col. David Haines, assistant commandant, Army Signal School, reported on how they are filling the critical skills gaps in the Army through direct-commission.

In FY17 they were authorized to do a pilot to direct-commission cyber professionals much like the Army brings in lawyers or doctors. Since late 2017, the center has had more than 700 applicants. So far there have been a total of nine appointments but there are about 10 more being reviewed right now.

The Army Signal School has also seen the benefits of problem-based learning, which means minimizing PowerPoint slides and getting soldiers on keyboard and keystrokes, said Col. Haines.